Private Google Docs at Home using SeaFile and LibreOffice Online



The following are unfinished notes for a presentation I am giving at Boston Linux and Unix on 15 June 2022.

Unfortunately, I was not able to get Let's Encrypt working in my demo environment and I had to stop and save what I have, so I can present.

Agenda for the live presentation:

Hopefully I can follow up by the middle of July with a fixed version of my original version of this howto document.


This howto makes the following assumptions. If your environment or preferences are different, adjust accordingly:


Avahi / Zeroconf / Bonjour

For local name resolution, I find it's helpful to install Ubuntu's avahi-daemon package.

sudo apt install avahi-daemon

You'll need an Avahi or Zeroconf or Bonjour daemon installed on each client machine that you'll be using for system administration. On Windows, to get Apple's Bonjour client, I downlaoded an Itunes installer and extracted the bonjour installer from inside it, and ran that.

Alternatively, you can edit your /etc/hosts or C:\Windows\System32\drivers\etc\hosts file on your sysadmin client machine, and enter the server's IP address.

Encrypted Storage

For my servers, I like to have all my stored data encrypted. Ubuntu allows you to setup full disk encryption during installation, but it assumes that you have access to a hardware console to unlock the encryption, every time you reboot the server.

My approach is different. I use Gocryptfs to unlock an encrypted overlay filesystem after the system is partially booted up. After I unlock storage, Systemd resumes startup and launches all normal services.

if you do not want to use disk encryption, skip this whole section and the next one about Send Email After Reboot. Go to MariaDB.

# Install Gocryptfs.
sudo apt install gocryptfs

# Create Gocryptfs container.
sudo mkdir -p /srv/priv.encrypted /srv/priv
sudo gocryptfs --init /srv/priv.encrypted
Choose a password for protecting your files.

Your master key is:


If the gocryptfs.conf file becomes corrupted or you ever forget your password,
there is only one hope for recovery: The master key. Print it to a piece of
paper and store it in a drawer. This message is only printed once.
The gocryptfs filesystem has been created successfully.
You can now mount it using: gocryptfs /srv/priv.encrypted MOUNTPOINT

Don't ignore the warning about the password. DO NOT LOSE your encryption password; if you lose it, there is no possible way to recover it except by guessing.

# Test mounting the container.
sudo gocryptfs /srv/priv.encrypted /srv/priv
Decrypting master key
The option "-allow_other" is set. Make sure the file permissions protect your data from unwanted access.
Filesystem mounted and ready.
# Add to fstab.
sudo nano /etc/fstab


# Add this to the end...

# encrypted storage
/srv/priv.encrypted  /srv/priv  fuse./usr/bin/gocryptfs noauto,allow_other 0 0
# Test mounting via fstab.
sudo umount /srv/priv
sudo mount /srv/priv

You should see "Filesystem mounted and ready" again.

The next few steps setup Systemd only boot up enough to start sshd and then pause and wait for you to unlock encryption before starting everything else.

These steps assume that all of your service daemons (except for SSH) depend on encrypted storage.

All of the daemon launches are deferred until after you login and unlock the encrypted storage.

sudo nano /etc/systemd/system/


Description=System before Decryption
Conflicts=rescue.service rescue.service
# Setup symlinks to before-decrypt required services
sudo su
mkdir /etc/systemd/system/
cd /etc/systemd/system/
for i in /lib/systemd/system/* ; do
   ln -s /lib/systemd/system/$(basename $i) .
ln -s /etc/systemd/system/syslog.service .
ln -s /lib/systemd/system/ssh.service .

sudo nano /etc/systemd/system/


Description=Decrypted System
Conflicts=systemd-ask-password-console.path systemd-ask-password-console.service systemd-ask-password-plymouth.path systemd-ask-password-plymouth.service
Requires=srv-priv.mount start-full-system.service
sudo nano /etc/systemd/system/start-full-system.service


Description=Start full system after decryption

ExecStartPre=/bin/systemctl is-active --quiet
ExecStart=/bin/systemctl --no-block start
sudo touch /usr/local/bin/unlock-priv
sudo chmod +x /usr/local/bin/unlock-priv
sudo nano /usr/local/bin/unlock-priv



if findmnt /srv/priv >/dev/null; then
  Already unlocked

echo -
echo - Unlocking /srv/priv
sudo mount /srv/priv

if ! findmnt /srv/priv >/dev/null; then

echo -
echo - Binding encrypted folders elsewhere in the filesystem
# (To be filled in later when setting up individual services)

echo -
echo - Resuming system startup
sudo systemctl start

To test it, reboot and then login and run unlock-priv

sudo unlock-priv
- Unlocking /srv/priv
Decrypting master key
The option "-allow_other" is set. Make sure the file permissions protect your data from unwanted access.
Filesystem mounted and ready.
- Binding encrypted folders elsewhere in the filesystem
- Resuming system startup

Later on in this guide we'll create data folders for services and move them to the encrypted volume.

Send Email After Reboot

If you use my encrypted storage setup, you'll want to be notified by email when the server has been rebooted, so that your services that depend on encrypted storage aren't stuck offline.

You will need an email provider that provides SMTP access. Check your email provider's documentation.

# Install msmtp
sudo apt install msmtp

# Disable Apparmor's profile for msmtp
sudo ln -s /etc/apparmor.d/usr.bin.msmtp /etc/apparmor.d/disable/
sudo apparmor_parser -R /etc/apparmor.d/usr.bin.msmtp
# (You might get an error saying the profile doesn't exist. Ignore that.)

# Configure msmtp
sudo mkdir -p /root/.config/msmtp
sudo nano /root/.config/msmtp/config


port 587
tls on
tls_trust_file /etc/ssl/certs/ca-certificates.crt

account systemnotices
host FIXME
auth on
user FIXME
password FIXME

account default : systemnotices

Change the from value to your own email address.

# Create a script to send a one-line email from CLI parameters
sudo touch /usr/local/bin/mail-sysadmin-oneline
sudo chmod +x /usr/local/bin/mail-sysadmin-oneline
sudo nano /usr/local/bin/mail-sysadmin-oneline




msmtp -- $email <<ENDSYSADMINMAIL
To: $email
Subject: [tulip] $subject


Change the email value to your own email address and change tulip in the Subject to the name you've given your server.

# Test sending one email
sudo mail-sysadmin-oneline "test!"
# You should get an email.

# Make a systemd service to send mail after reboot
sudo nano /etc/systemd/system/mail-on-reboot.service


Description=Email After Reboot

# send message "rebooted"
ExecStart=/bin/bash /usr/local/bin/mail-sysadmin-oneline rebooted

sudo systemctl enable mail-on-reboot.service

Reboot to test it. You should get an email when the system is ready for you to SSH in.

Really, don't forget after every reboot now, you need to SSH in and run unlock-priv.

Now you're ready to install MariaDB, SeaFile, and Collabora Office Online!


We use MariaDB for Seafile's metadata storage.

# Install MariaDB
sudo apt install mariadb-server mariadb-client

If you are using encrypted storage as described above, now you should move your MariaDB data folder to encrypted storage.

sudo systemctl stop mariadb
sudo mkdir -p /srv/priv/var/lib
sudo mv /var/lib/mysql /srv/priv/var/lib/mysql
sudo mkdir /var/lib/mysql
sudo chown mysql.mysql /var/lib/mysql
sudo nano /etc/fstab # add the following line, and save
/srv/priv/var/lib/mysql  /var/lib/mysql  none  noauto,bind  0  0
sudo nano /usr/local/bin/unlock-priv


# Add the following after "echo - Binding encrypted folders..."
sudo mount /var/lib/mysql
# And finally, mount the bound folder and restart MariaDB.
sudo mount /var/lib/mysql
sudo systemctl start mariadb
# Create MariaDB user and two databases for Seafile
sudo mysql
create database seafile;
create database seafile_hub;
create database seafile_ccnet;
create user 'seafile'@'localhost' identified by 'FIXME';
grant all privileges on seafile.* to 'seafile'@'localhost';
grant all privileges on seafile_hub.* to 'seafile'@'localhost';
grant all privileges on seafile_ccnet.* to 'seafile'@'localhost';

Don't forget to fill in the FIXME value for the password. You should use a unique password just for Seafile's databases, and make a note of it so you can fill it in in the next steps.


Seafile and Collabora LibreOffice Online work best if you are using a public Internet hostname and HTTPS protocol to access them, even if you are connecting from inside the same private network. provides free DNS names to resolve a hostname to your public IP address. The free service plan includes up to 5 hostnames.

  1. Click the "Sign up Free" link and fill out the form. Make sure you answer follow the instructions in the verification email they send you.
  2. Go to the "Subdomains" page and click "Add".
  3. Choose record Type "A".
  4. Fill in your subdomain name (your personal identifier -- example "tulip").
  5. Pick a domain. (I like to use "", but they have dozens to choose from.)
  6. Fill in the IP address. This field defaults to the public IP address you're connecting from, and you should probably leave that value.
  7. Fill in the CAPTCHA and click "Save!"

Repeat the steps again -- you will need a second hostname for the Collabora LibreOffice Online application. I recommend you use the same subdomain, but with an added -cool. Example:

You may have to wait 5 to 10 minutes after you create the hostname before you can use it. Try pinging your hosname every few minutes, until you find that the name resolves.


You probably have a dynamic IP address set by your ISP. You might want to install a Dynamic DNS updater on your server or on your home router to update every time your IP address changes. See FAQ Question #2 on's web site for more deatils on this process.


These steps are based on the Install using MySQL instructions from Seafile.

# Install Seafile prerequisite Ubuntu packages
sudo apt-get install python3 python3-setuptools python3-pip build-essential python3-dev \
    libmemcached-dev libmariadb-dev-compat python3-pymysql
# Install Seafile prerequisite PyPI packages
sudo pip3 install --timeout=3600 Pillow pylibmc captcha jinja2 sqlalchemy==1.4.3 \
    django-pylibmc django-simple-captcha python3-ldap mysqlclient
# Create a system user for Seafile
sudo adduser seafile
# Fill in the new password prompt, and you can leave the rest of the fields blank.

# Download and unpack Seafile
sudo su - seafile
mkdir -p ~/seafile/installed
cd ~/seafile/installed
# Get the URL for "Server for generic Linux" from
# Fill it in here for URL
wget URL
cd ~/seafile
tar zxf ~/seafile/installed/seafile-server_*.tar.gz
cd seafile-server-*

Some notes about how to fill out the options in the setup wizard:

server name
The short one-word local name of your server.
This server's ip or domain
The public full DNS name you setup at (ex: "")
port for the seafile fileserver
Default is 8082, but if you choose something else, I explain how to set it up correctly in a later step.
way to initialize seafile databases
Choose 2 -- Use existing databases.
database name for ccnet
database name for seafile
database name for seahub

"seafile file server" is the back-end API server. "seahub" is the main HTTP server that serves web pages for the app.

After the setup wizard is done, it tells you the ports for "seafile file server" and "seahub". It didn't ask you for the port number for "seahub"; it just assumed port 8000.

If you want to change either of the ports, find them here:

seafile file server (back-end API server)
~/seafile/conf/seafile.conf β†’ port
seahub (front-end server)
~/seafile/conf/ β†’ bind (change the port number after ":")

My Seafile instance doesn't work right unless I hard-code my public URL into ~/seafile/conf/ccnet.conf and ~/seafile/conf/


# Add the following two lines at the top:


# Add the following before the "DATABASES" value:
SERVICE_URL = '' # fill in your DNS name
FILE_SERVER_ROOT = '' # fill in your DNS name

Next, create Systemd services for Seafile:

If you are logged into a shell as seafile, you can't run admin commands. Use the exit to get back to the shell of your admin user.

sudo nano /etc/systemd/system/seafile.service


# add mysql.service or postgresql.service depending on your database to the line below mariadb.service

ExecStart=/home/seafile/seafile/seafile-server-latest/ start
ExecStop=/home/seafile/seafile/seafile-server-latest/ stop

sudo nano /etc/systemd/system/seahub.service


Description=Seafile hub seafile.service

# change start to start-fastcgi if you want to run fastcgi
# change the port in the next line if you are using a different port for seahub
ExecStart=/home/seafile/seafile/seafile-server-latest/ start 8000
ExecStop=/home/seafile/seafile/seafile-server-latest/ stop

sudo systemctl enable seafile seahub
sudo systemctl start seafile seahub

If you are using encrypted storage as described above, now you should move your Seafile data folder to encrypted storage.

sudo systemctl stop seafile seahub

sudo mkdir -p /srv/priv/home
sudo mv /home/seafile /srv/priv/home/seafile
sudo mkdir /home/seafile
sudo chown seafile.seafile /home/seafile
sudo nano /etc/fstab # add the following line, and save
/srv/priv/home/seafile  /home/seafile  none  noauto,bind  0  0
sudo nano /usr/local/bin/unlock-priv


# Add the following after "echo - Binding encrypted folders..."
sudo mount /home/seafile
# And finally, mount the bound folder and restart MariaDB.
sudo mount /home/seafile
sudo systemctl start seafile seahub

And finally, create your admin user:

sudo su - seafile
# fill in email address and password

Seafile is almost ready to use, but you have to configure Apache web server in front of it next.

Configure Your Modem or Router

You will need to setup a forwarded port from your home modem or router to the internal IP address of your server. Look in your router's documentation.

In my Verizon FIOS router, under Advanced settings, there is a Security & Firewall β†’ Port Forwarding page. Here you see that I mapped ports 80 and 443 to my home file server.


Apache Web Server

# Install Apache
sudo apt install apache2

# Enable mod_proxy_http and mod_rewrite
sudo a2enmod proxy_http proxy_wstunnel rewrite
sudo systemctl restart apache2

# Setup a self-signed certificate
# Change '' to your main hostname from
sudo openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/ssl/private/ -out /etc/ssl/private/
# Fill in anything for most fields. "Common Name" must be the exact DNS name.

# Repeat for your '-cool' hostname:
sudo openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/ssl/private/ -out /etc/ssl/private/

Now edit your "-le-ssl.conf" file (example tulip-le-ssl.conf) and fill in the Seafile proxy configuration:

# Create a site file listening on a particular hostname
sudo nano /etc/apache2/sites-available/tulip.conf # (Use your Seafile service short name here)


<VirtualHost *:80>
# Fill in your Seafile DNS name from
RewriteEngine on
RewriteCond %{SERVER_NAME}
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

<VirtualHost *:443>
# Fill in your Seafile DNS name from

SSLEngine on
SSLCertificateFile /etc/ssl/private/
SSLCertificateKeyFile /etc/ssl/private/

Alias /media /home/seafile/seafile/seafile-server-latest/seahub/media
<Location /media>
    Options FollowSymLinks
    Require all granted

RewriteEngine On

# seafile fileserver - fill in "seafile file server" port from Seafile config (default 8082)
ProxyPass /seafhttp
ProxyPassReverse /seafhttp
RewriteRule ^/seafhttp - [QSA,L]

# seahub server - fill in "seahub" port from SEafile config (default 8000)
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
ProxyPreserveHost On
ProxyPass / http://localhost:8000/
ProxyPassReverse / http://localhost:8000/
# Create another one for Collabora LibreOffice Online
sudo nano /etc/apache2/sites-available/tulip-cool.conf # (Use your Seafile service short name here)


<VirtualHost *:80>
# Fill in your Collabora LibreOffice Online DNS name from
RewriteEngine on
RewriteCond %{SERVER_NAME}
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

<VirtualHost *:443>
# Fill in your Collabora LibreOffice Online DNS name from

SSLEngine on
SSLCertificateFile /etc/ssl/private/
SSLCertificateKeyFile /etc/ssl/private/

AllowEncodedSlashes NoDecode
ProxyPreserveHost On

# static html, js, images, etc. served from coolwsd
# browser is the client part of Collabora Online
# !! You can change port 8003 to whatever port you will use for COOL:
ProxyPass           /browser retry=0
ProxyPassReverse    /browser

# WOPI discovery URL
ProxyPass           /hosting/discovery retry=0
ProxyPassReverse    /hosting/discovery

# Capabilities
ProxyPass           /hosting/capabilities retry=0
ProxyPassReverse    /hosting/capabilities

# Main websocket
ProxyPassMatch      "/cool/(.*)/ws$"      ws://$1/ws nocanon

# Admin Console websocket
ProxyPass           /cool/adminws ws://

# Download as, Fullscreen presentation and Image upload operations
ProxyPass           /cool
ProxyPassReverse    /cool
# Compatibility with integrations that use the /lool/convert-to endpoint
ProxyPass           /lool
ProxyPassReverse    /lool
# Enable the sites
sudo a2ensite tulip tulip-cool
sudo systemctl restart apache2

Now Seafile should be accessible at on your client machine (where is your DNS name from

On EVERY CLIENT, before you use either of the sites, you must do the following:

  1. Go to in your browser (fill in your main hostname).
  2. Navigate through the warning about the self-signed certificate, and accept the certificate.
  3. Go to (fill in your COOL hostname).
  4. Accept the certificate in the same way.

Here is a screenshot of the self-signed certificate warning in Firefox-descended browsers:


Collabora LibreOffice Online

We will install the Ubuntu packages for Collabora LibreOffice Online. Following the Collabora Online "Install from packages β†’ Ubuntu 22.04" documentation:

cd /usr/share/keyrings
sudo wget
sudo tee /etc/apt/sources.list.d/collaboraonline.sources << EOF
Types: deb
Suites: ./
Signed-By: /usr/share/keyrings/collaboraonline-release-keyring.gpg
sudo apt update
sudo apt install coolwsd code-brand

Based on the configuration documentation, edit your Collabora LibreOffice Online config file.

sudo nano /etc/coolwsd/coolwsd.xml


<!-- in the "net" section... -->

  <!-- change "proto" to IPV4 -->
  <!-- <proto type="string" default="all" desc="Protocol to use IPv4, IPv6 or all for both">all</proto> -->
  <proto type="string" default="all" desc="Protocol to use IPv4, IPv6 or all for both">IPv4</proto>

  <!-- change "listen" to only on loopback address -->
  <!-- <listen type="string" default="any" desc="Listen address that coolwsd binds to. Can be 'any' or 'loopback'.">any</listen> -->
  <listen type="string" default="any" desc="Listen address that coolwsd binds to. Can be 'any' or 'loopback'.">loopback</listen>

  <!-- in the "ssl" section... -->

    <!-- Disable TLS (on the back-end) -->
    <!-- <enable type="bool" desc="Controls whether SSL encryption between coolwsd and the network is enabled (do not disable for production deployment). If default is false, must first be compiled with SSL support to enable." default="true">true</enable> -->
    <enable type="bool" desc="Controls whether SSL encryption between coolwsd and the network is enabled (do not disable for production deployment). If default is false, must first be compiled with SSL support to enable." default="true">false</enable>

    <!-- Enable usage behind proxy server -->
    <!-- <termination desc="Connection via proxy where coolwsd acts as working via https, but actually uses http." type="bool" default="true">false</termination> -->
    <termination desc="Connection via proxy where coolwsd acts as working via https, but actually uses http." type="bool" default="true">true</termination>
# Install coolwsd service
sudo cp /usr/lib/systemd/system/coolwsd.service /etc/systemd/system/coolwsd.service

# Add a port number
sudo nano /etc/systemd/system/coolwsd.service


# Edit this line...
# Fill in the port you used in the "-cool" Apache config file.
ExecStart=/usr/bin/coolwsd --version --o:sys_template_path=/opt/cool/systemplate --o:child_root_path=/opt/cool/child-roots --o:file_server_root_path=/usr/share/coolwsd --port=8003
# Set password and install service
sudo coolconfig set-admin-password
sudo systemctl stop coolwsd
sudo systemctl disable coolwsd
sudo systemctl enable coolwsd
sudo systemctl start coolwsd

sudo su - seafile
nano ~/seafile/conf/


# Add to the end...

OFFICE_SERVER_TYPE = 'CollaboraOffice'
WOPI_ACCESS_TOKEN_EXPIRATION = 5 * 60 * 60 # seconds
    'odp', 'ods', 'odt', 'xls', 'xlsb', 'xlsm', 'xlsx','ppsx', 'ppt', 'pptm', 'pptx', 'doc', 'docm', 'docx'
    'odp', 'ods', 'odt', 'xls', 'xlsb', 'xlsm', 'xlsx','ppsx', 'ppt', 'pptm', 'pptx', 'doc', 'docm', 'docx'
exit # logout as Seafile user
sudo systemctl restart seahub


